Cybersecurity Assessments
Learn about cybersecurity assessment resources available for drinking water and wastewater systems.
Resources to Conduct Cybersecurity Assessment
Cybersecurity Guidance for Drinking Water and Wastewater
- EPA Guidance on Improving Cybersecurity at Drinking Water and Wastewater Systems (pdf) (447.51 KB)
- Guía de la EPA para mejorar la ciberseguridad en sistemas de agua potable y aguas residuales
Cybersecurity Risk Self-Assessment Resources
- EPA: Water Cybersecurity Assessment Tool and Risk Mitigation Template (xlsx) (248.09 KB)
- Herramienta de evaluación de ciberseguridad hídrica y plantilla de mitigación de riesgos de la EPA
- CISA: Cyber Resilience Review
- CISA: Cross-Sector Cybersecurity Performance Goals
- CISA: Cybersecurity Evaluation Tool
- NIST: Cybersecurity Framework
- Critical Security Controls
Cybersecurity Risk Third-Party Assessment Resources
Cybersecurity Vulnerability Assessment Resources
Identifying OT at Water Systems
- Assessing if a Water & Wastewater System has Operational Technology (pdf) (366.06 KB, 03-15-2024, 810-F-23-031)
Addressing Cybersecurity in your America’s Water Infrastructure Act Risk and Resilience Assessment
Safe Drinking Water Act (SDWA) section 1433, which was amended by America’s Water Infrastructure Act (AWIA) section 2013 in 2018, requires community water systems (CWS) serving more than 3,300 people to prepare or revise risk and resilience assessments (RRAs) and certify to EPA that this work has been completed. SDWA section 1433(a) states that the RRA must include “electronic, computer, or other automated systems (including the security of such systems),” otherwise known as cybersecurity. Therefore, a cybersecurity assessment must be included in the required RRA. EPA provides the free resources described above to support utilities in conducting a cybersecurity assessment. The options range from a third-party assessment, in which a contractor conducts the assessment using EPA’s Water Sector Evaluation Program, to a do-it-yourself assessment using the free Water Cybersecurity Assessment Tool.
Technical Assistance
Sign Up for Cybersecurity Technical Assistance: Primacy agencies, drinking water and wastewater systems, circuit riders, and technical assistance providers can submit a question and/or a request for consultation regarding cybersecurity.